Insecure Direct Object Reference [CVE-2014-9184]

The modem usually serves HTML files and protects them with HTTP Basic authentication. However,
the CGI files do not get this protection, so simply requesting any CGI file
(without any authentication) gives a remote attacker full access to the
modem, which can then easily be used to root the modem and disrupt network
activities.

So requesting the gateway (in this case, 192.168.1.1) results in an HTTP
authentication request, but simply requesting http://192.168.1.1/main.cgi bypasses it.

PoC:

http://192.168.1.1/adminpasswd.cgi
(results in the admin password change page); viewing the source shows the
current password (unencrypted).

The page does not ask for the current password, and it also has no anti-CSRF token. wtf!

CSRF based Stored XSS

http://192.168.1.1/adminpasswd.cgi?action=save&sysUserName=%27;alert%280%29;//&sysPassword=37F6E6F627B6
- letting an admin visit this link changes the admin username to
';alert(0);//, which is also a stored XSS in the home page.

Admin account override CSRF [CVE-2014-9019]

There is no token/captcha or even a current password prompt when the
admin changes the password, and credentials are sent over GET.

If an authenticated admin browses that link, their credentials will
become admin:yibelo.

UI Redressing

The modem (like most modems) does not have clickjacking protection, so a simple
clickjack can be used to modify settings or override admin accounts. For example,
using http://192.168.1.1/adminpasswd.html it is possible to trick an admin into
submitting a form with our credentials (since it doesn't require the current password).

Not Using SSL

The modem does not use HTTPS, so anyone can use MitM to sniff ongoing
actions and possibly gain user credentials.

Unrestricted privileges

Anyone who connects to the modem with Telnet or TFTP is root.
Simply telnetting in, authenticating as admin:admin, typing sh and then echo $USER
would prove that.

Enable Remote Access CSRF [CVE-2014-9027]

Using this, an attacker can trick an admin into visiting a page that
enables remote access to the modem from outside the LAN.

An attacker can then attack the modem from outside the LAN and use this to
escalate the attack.

Conclusion

From all these exploits, it's easy to construct a remote root command execution exploit against any of these modems.

1. Make a logged-in admin enable remote access for us with http://192.168.1.1/accessremote.cmd?remoteservice=pppoe_8_81&enblicmp=1&enblftp=1&ftpport=21&enblhttp=1&httpport=80&enblsnmp=1&snmpport=161&enbltelnet=1&telnetport=23&enbltftp=0&tftpport=69&enblssh=0&sshport=22 (only if we are outside the LAN)

2. Go to http://192.168.1.1/adminpasswd.cgi and change the admin password or copy the current one (recommended)

3. Telnet to 192.168.1.1 with the admin username and password (most likely admin:admin) and what do you know,
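As an added example (not from the advisory), here is a small Python log triage script a defender could run over the modem's HTTP access log to spot the patterns the chain above relies on: CGI/CMD handlers served without authentication, credentials carried in a GET query string, state-changing requests with a foreign Referer (CSRF/clickjacking indicator), and remote-access toggles. The log format and the sample lines are constructed assumptions, not the modem's real log format.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines (assumed format, not the modem's real log):
# <client_ip> <method> <path?query> auth=<yes|no> referer=<url or ->
SAMPLE_LOG = """\
192.168.1.20 GET /index.html auth=yes referer=-
192.168.1.50 GET /main.cgi auth=no referer=-
192.168.1.50 GET /adminpasswd.cgi?action=save&sysUserName=admin&sysPassword=secret auth=no referer=http://third-party.example/
192.168.1.20 GET /accessremote.cmd?enblhttp=1&httpport=80&enbltelnet=1&telnetport=23 auth=yes referer=http://third-party.example/
192.168.1.20 GET /adminpasswd.html auth=yes referer=http://192.168.1.1/
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) auth=(yes|no) referer=(\S+)$")
GATEWAY = "http://192.168.1.1"  # the modem's own origin; anything else is cross-origin
# Query parameters from accessremote.cmd that expose a service on the WAN side
REMOTE_FLAGS = {"enblicmp", "enblftp", "enblhttp", "enblsnmp", "enbltelnet", "enbltftp", "enblssh"}


def analyse_line(line):
    """Return the list of finding tags for one log line (empty if benign/unparseable)."""
    m = LINE_RE.match(line)
    if not m:
        return []
    _ip, _method, target, auth, referer = m.groups()
    parts = urlsplit(target)
    path, query = parts.path, parse_qs(parts.query)
    handler = path.endswith((".cgi", ".cmd"))
    findings = []
    # 1. Handler reached without Basic auth: the IDOR/auth-bypass pattern.
    if handler and auth == "no":
        findings.append("unauthenticated-cgi")
    # 2. Admin credentials travelling in the URL (logged, cached, shoulder-surfed).
    if "sysUserName" in query or "sysPassword" in query:
        findings.append("credentials-in-get")
    # 3. Parameterised handler request whose Referer is not the modem itself.
    if handler and query and referer != "-" and not referer.startswith(GATEWAY):
        findings.append("cross-origin-state-change")
    # 4. A WAN-side service being switched on via accessremote.cmd.
    if path == "/accessremote.cmd" and any(query.get(f, ["0"])[0] == "1" for f in REMOTE_FLAGS):
        findings.append("remote-access-enabled")
    return findings


def scan(log_text):
    """Return (path, findings) for every line that produced at least one finding."""
    results = []
    for line in log_text.splitlines():
        findings = analyse_line(line)
        if findings:
            results.append((urlsplit(line.split()[2]).path, findings))
    return results
```

Running `scan(SAMPLE_LOG)` flags three of the five constructed lines; the authenticated, same-origin request to adminpasswd.html is left alone.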

About Paulos

I am currently specializing in application security and client side offensive exploit research. I really enjoy breaking things. I occasionally do bug bounties, with notable references such as Coinbase, Facebook, Twitter & more.